from the well,-not-*completely*-legal dept

A couple of weeks ago, we reported on a small but important defeat for the UK government when the Investigatory Powers Tribunal (IPT) ruled that intelligence sharing between the NSA and GCHQ was unlawful. Now, in a sign that the cracks in the UK's impenetrable silence on its surveillance activities are beginning to spread, the Guardian reports on the following surprising development:

The regime under which UK intelligence agencies, including MI5 and MI6, have been monitoring conversations between lawyers and their clients for the past five years is unlawful, the British government has admitted.

Here's why the UK government has suddenly started owning up to these misdeeds:

The admission that the regime surrounding state snooping on legally privileged communications has also failed to comply with the European convention on human rights comes in advance of a legal challenge, to be heard early next month, in which the security services are alleged to have unlawfully intercepted conversations between lawyers and their clients to provide the government with an advantage in court.

Remarkably, the confession has brought with it an unprecedented explanatory statement:

"In view of recent IPT judgments, we acknowledge that the policies adopted since [January] 2010 have not fully met the requirements of the ECHR, specifically article 8 (right to privacy). This includes a requirement that safeguards are made sufficiently public.

"It does not mean that there was any deliberate wrongdoing on the part of the security and intelligence agencies, which have always taken their obligations to protect legally privileged material extremely seriously. Nor does it mean that any of the agencies' activities have prejudiced or in any way resulted in an abuse of process in any civil or criminal proceedings."

This surprise admission shows once again the value of taking legal action against government surveillance, even when the odds of succeeding seem slim. Twice now the UK has revealed details purely as a result of challenges. Perhaps even more importantly, twice now the UK government's standard response to leaks -- that it wouldn't confirm or deny anything, but the British public could rest assured that whatever may have happened was completely legal -- has been shown to be false.

from the um,-what? dept

We already wrote about surveillance state opportunists like Michael Hayden using the Charlie Hebdo attacks as evidence for why the surveillance state should be allowed to spy on everyone, and now the head of the UK's MI5 intelligence agency has similarly used the attack as an excuse to demand more surveillance powers:

The head of MI5, Andrew Parker, has called for new powers to help fight Islamist extremism, warning of a dangerous imbalance between increasing numbers of terrorist plots against the UK and a drop in the capabilities of intelligence services to snoop on communications....

[....]

“If we are to do our job, MI5 will continue to need to be able to penetrate their communications as we have always done. That means having the right tools, legal powers and the assistance of companies which hold relevant data. Currently, this picture is patchy.”

What's especially sickening about this is that this argument "works" for surveillance state opportunists whether they succeed or fail. If they actually do stop terrorist threats (and in the same speech Parker claims they have stopped a few planned attacks in "recent months" but fails to provide any details), they use that to claim that the surveillance works and they need to do more. Yet when they fail to stop an attack -- as in the Charlie Hebdo case -- they don't say it's because the surveillance failed; instead, it's because they didn't have enough data or enough powers to collect more data. In other words, succeed or fail, the argument is always the same: give us more access to more private data.

And they'll claim this again and again, even as it's been shown over and over again that grabbing more garbage data actually makes it that much more difficult to find relevant data. Piling more hay onto the haystack doesn't make the needles easier to find. It makes them much harder to find and often sends you digging through piles of hay for a needle you think you saw, but isn't really there. Yet that never seems to enter the equation. It's as if those in the surveillance business don't understand the idea of quantity over quality.

And this goes beyond just the general desire for "more" power, to a ridiculous belief among some in the power of algorithms to sort through this data. The power of "big data" can be useful in many ways, but people get so obsessed with the magic of algorithms and the power in "big data" that they forget that these things are imperfect, and the ability to sort through massive piles of data for relevant information and links is incredibly limited and faulty. Yet, because a computer does it, they get all excited and think it's all powerful. It's this mistaken belief in the power of the algorithms that leads them to always assume that "more data is better" and the end result, unfortunately, is continuously stripping away privacy, in search of some tiny marginal benefit that may not even exist.

I must emphasise that these [new surveillance] powers are limited and they do not mandate the retention of and access to data that would in all cases identify a suspect who has, for example, been accessing servers hosting illegal content. The progress in this Bill is welcome -- but we will still need to return to the Communications Data Bill in the next Parliament.

Of course, that would mean finding some way to win support for an intrusive Communications Data Bill, which provoked such a strong reaction the last time it was discussed. So it's an interesting coincidence that the day after that place-marker by the Home Secretary, a new report (pdf) has been published on a particularly brutal terrorist attack that took place on the streets of London last year. The report comes from the UK's Intelligence and Security Committee (ISC), which was roundly condemned by a Parliamentary committee earlier this year for being out of touch and ineffectual. It was asked to examine what lessons could be learned from the failure to stop the attack, given that both of the men convicted of murdering the British soldier Fusilier Rigby were known to the UK intelligence service. Here's a summary of the findings from the press release (pdf):

The two men appeared, between them, in seven different Agency investigations -- for the most part as low-level Subjects of Interest. There were errors in these operations, where processes were not followed, decisions not recorded, or delays encountered. However we do not consider that any of these errors, taken individually, were significant enough to have made a difference.

We have also considered whether, taken together, these errors may have affected the outcome. We have concluded that, given what the Agencies knew at the time, they were not in a position to prevent the murder of Fusilier Rigby.

That is, despite tracking the two men responsible for the attack several times in earlier investigations, and despite making errors, the Agency -- MI5 -- is absolved of responsibility for what happened. But of course, for such a heinous crime -- the soldier was hacked to death on a public street in broad daylight -- a guilty party must be found. Here's what the ISC came up with:

The one issue which we have learned of which, in our view, could have been decisive only came to light after the attack. This was an online exchange in December 2012 between Adebowale and an extremist overseas, in which Adebowale expressed his intent to murder a soldier in the most graphic and emotive manner. This was highly significant. Had MI5 had access to this exchange at the time, Adebowale would have become a top priority. There is then a significant possibility that MI5 would have been able to prevent the attack.

We have examined whether the Agencies could have discovered this intelligence before the attack, had they had cause to do so: it is highly unlikely. What is clear is that the one party which could have made a difference was the company on whose system the exchange took place. However, this company does not regard themselves as under any obligation to ensure that they identify such threats, or to report them to the authorities. We find this unacceptable: however unintentionally, they are providing a safe haven for terrorists.

That "safe haven for terrorists" is, of course, precisely the rhetoric used by other senior intelligence officers, in what looks increasingly like a co-ordinated attack on Internet companies and the encryption technologies that are increasingly being deployed. The ISC is quite clear what is needed -- more surveillance:

Our Report considers the wider relationship between law enforcement authorities and Communications Service Providers. None of the major US companies we approached proactively monitor and review suspicious content on their systems, largely relying on users to notify them of offensive or suspicious content.

Well, that's because they are communications companies: they provide ways to communicate, just like phone companies or the post system. There's no more reason they should be monitoring every piece of content on their systems than telephone companies should monitor the content of calls, or post offices the content of letters. It's not their job, and would in any case be an extraordinary invasion of privacy.

We also found that none of them regard themselves as compelled to comply with UK warrants obtained under the Regulation of Investigatory Powers Act 2000.

That's probably because they are generally US companies, subject to US law. If the UK were to insist that they complied with UK warrants as if they were UK companies, it would have to be prepared for UK companies providing services abroad to be subject to Russian and Chinese legal demands too. Is that really what it wants? The Commission then goes on to make its drift quite clear:

We note that the Government has already started to take action on these issues, through the Data Retention and Investigatory Powers Act 2014 and the appointment of the Special Envoy on intelligence and law enforcement data sharing. However, the problem is acute: until it is resolved the British public are exposed to a higher level of threat.

That is, far from letting considerations of privacy temper some of the more extreme counter-terrorism measures brought in recently, the ISC is hinting that the UK government should abrogate even more British freedoms -- purely to protect British freedoms, you understand.

That the ISC's report into the attack turns out to be a whitewash is no surprise. Earlier this month, the UK's leading human rights groups decided to boycott another inquiry that it would be conducting, since they had "lost all trust in the committee’s ability to uncover the truth." And just before the ISC report was published, it was claimed that the committee had "failed to speak to witnesses who say the plot's leader was repeatedly contacted by the security services before the attack":

Those making the allegations say they raise concerns about MI5’s conduct and offer a possible explanation of what contributed to his transformation from extremist into terrorist murderer.

Adebolajo has said he was repeatedly pressed by the security services to turn informant for three years before he and Adebowale murdered Rigby.

Here's what the report says on this potentially crucial matter:

In relation to the allegations that MI5 had been trying to recruit Adebolajo as an agent, MI5 has argued that it would be damaging to national security to comment on such allegations. All allegations concerning MI5’s recruitment of agents -- whether true or not -- fall under their ‘Neither Confirm Nor Deny’ (NCND) policy.

How convenient. But it's not the only thing that's convenient in this story. As the above indicates, the existence of messages between one of the killers and an extremist overseas allowed the report to absolve the UK's security services, and blame Facebook. But where exactly did that message come from? According to the Guardian:

David Cameron revealed that the messages only came to light after the attack "as a result of a retrospective review by the company". Sir Malcolm Rifkind, chair of the ISC, said the information was given to GCHQ "by a third party" on a confidential basis.

So who gave that information to GCHQ? The statement above makes it clear it wasn't Facebook itself but a "third party". Who else had access to such private messages? Someone at the company? Maybe, although that seems very unlikely given the company's awareness of how big an issue this would be.

Another obvious candidate is the NSA. Snowden has told us that it accesses and stores vast quantities of messages as they flow across the Internet; given the nature of the conversation, and the keywords it contains, it seems quite likely that it was added to a database somewhere, "just in case". Perhaps it was dug out at the request of GCHQ, which then passed it on to the company concerned -- in order to land it in hot water, and get MI5 off the hook. Just another benefit of being part of the Five Eyes club.

from the of-course-not dept

We recently wrote about the ridiculous performance put on by the UK Parliament in quizzing the editor of the Guardian, Alan Rusbridger, concerning the legality of reporting on the Snowden leaks. Now, it appears that the same committee sought to hold a hearing with the head of the British MI5 intelligence agency, Andrew Parker, in order to see if he could back up the claims that the Guardian's reporting had put UK citizens in danger. However, that's not happening. UK officials won't let Parker testify in front of the same committee. Why? Because.

The home secretary, Theresa May, told the home affairs committee chairman, Keith Vaz, that she had rejected the request for the spy chief to give evidence because his appearance would "duplicate" the existing oversight provided by the prime ministerially appointed intelligence and security committee.

And, indeed, it is true that the intelligence and security committee held a hearing on the topic not so long ago -- but, like its Congressional counterparts, it was almost entirely softballs allowing them to spew rhetoric, rather than answer serious questions concerning the intelligence community.

Even worse, it appears that the UK leadership is working extra hard to keep passing the hot potato, making sure no one has to testify on this particular issue:

A similar request for Kim Darroch, the national security adviser, to give evidence to the committee's inquiry into counter-terrorism was also rejected in a letter from David Cameron. He said "it was not a good idea" because Darroch's role focused on providing private advice to him and the national security council and his appearance would "set a difficult precedent".

The prime minister said it should be left to the home secretary to give evidence to the MPs on their concerns about counter-terrorism and the Guardian's disclosures of mass digital surveillance by GCHQ and the US national security agency.

The decision prompted a furious reaction from Vaz, who said: "The prime minister has suggested that the home secretary should come before us to answer our questions and Theresa May is suggesting that it is a matter for the intelligence and security committee. We cannot play pass the parcel on the issue of accountability on these important issues."

While the US process has been something of a joke, at least Congress has been able to get James Clapper, Keith Alexander and others out to testify a bunch of times on these issues. Some in the UK, however, would apparently like to sweep the whole issue under the rug.

from the blame-game dept

Well, it appears that the head of the UK's MI5 is going on the offensive (and I mean that in multiple ways) concerning the Ed Snowden leaks, spreading a hilarious story claiming that it's Snowden (and to a lesser extent the Guardian) who have "helped the terrorists" with the leaks... and the UK press dutifully repeated the talking points as fact:

Revelations by Edward Snowden about British eavesdropping are a gift to terrorists because they weaken the ability of the security services to stop those plotting deadly attacks against the West, the head of the MI5 Security Service said on Tuesday....

[....] Though he did not mention Snowden by name, Parker warned about the danger of disclosures about the work of Britain's listening agency, known as GCHQ, whose capabilities were made public by media reports based on documents Snowden stole.

"It causes enormous damage to make public the reach and limits of GCHQ techniques. Such information hands the advantage to the terrorists. It is the gift they need to evade us and strike at will," Parker said in his first public speech since taking up his post as MI5 chief on April 22.

This is hogwash on multiple levels. First, it takes incredible self-obsession to claim that someone exposing your questionable activities should be blamed for the consequences of those questionable activities. That's what Andrew Parker doesn't seem to recognize: the problem isn't that Snowden revealed these things, it's that the intelligence community was doing it in the first place. Second, it's already been shown, repeatedly, that terrorists already assumed these kinds of surveillance efforts were ongoing, and were careful to avoid such easy routes of surveillance. Third, if the surveillance relies on keeping the entire concept secret, you're doing it wrong. For decades, criminals have known that the police have the ability to tap phones. There's a whole process involved with real oversight, and most people are now comfortable with the general idea of phone taps following a specific warrant and oversight. The point here is that you don't have to keep the fact that you tap these things a secret if you have sufficient oversight and controls to make sure they're not abused. But that's not what anyone did here.

But, really, these stories of doom and gloom are pretty laughable given that there's been almost no evidence that these surveillance techniques have ever actually stopped terrorist attacks in the first place.

from the strange-bedfellows dept

The debate over the Digital Economy Bill in the UK (the attempt to ratchet up copyright law to repay favors to an entertainment industry that is slow to adapt) has taken an odd twist. Cory Doctorow over at Boing Boing has the details of a leaked memo from the BPI (pdf) to a bunch of recording industry execs and lobbyists, that details the state of the bill and the ongoing strategy for getting it approved. There are a few items worth noting:

The BPI seems to think that the UK intelligence community is now the biggest threat to the bill. Seriously. Apparently, UK spies are afraid that passing this bill will drive a very large number of people to switch to using encrypted internet tools, making it that much more difficult to spy on them. This may be an accurate concern, but it's surprising to hear that the intelligence community is now considered the biggest hurdle to getting the bill passed. Apparently, the BPI is fairly unconcerned with consumer rights groups. The BPI seems so paranoid about the intelligence community that it actually suggests in the memo that the British spying agency MI5 may have paid for a recent survey released by the ISP Talk Talk, saying that 71% of those 18-34 years old would continue to file share, using "undetectable means."

The memo also mocks the fact that this particular bill now has the Open Rights Group on the same side of an issue as MI5 -- when the two are normally somewhat diametrically opposed.

While the BPI sounds fairly confident that the bill will get through, it recognizes that it could get stalled if enough Members of Parliament start asking questions about the speed with which the bill is being pushed through:

As for the House of Commons -- which will be sent the Bill next week -- there is a strange sense of detachment. MPs with whom we spoke back in Autumn are already resigned to the fact that they will have minimum input into the provisions from this point on, given the lack of time for detailed scrutiny. One leading backbencher has told us that there is "little point in meeting, since the Bill will be determined at wash-up". That said, John Whittingdale -- an inveterate "timing sceptic" (i.e. he's for the Bill but doesn't think it will get through in time) has said this week that he still thinks it could be lost if enough MPs protest at not having the opportunity to scrutinise it. Whilst true in constitutional theory terms, the hard politics of the situation makes it seem unlikely. And inveterate opponents like Derek Wyatt and Tom Watson continue to blog and tweet with critical comments, but there is not the sense of a groundswell of massive opposition to the Bill.

In other words: if you live in the UK, now is the time to start speaking up and contacting your elected officials, as well as letting others know that a bill to greatly take away your rights is about to be pushed through the House of Commons, unless you speak up now.

Finally, among the "upcoming" activities, the memo mentions that on Wednesday the 18th, there will be a release of a report from TERA on "The importance of saving jobs in the EU's Creative Industries." We see these types of reports all the time, and they're usually poorly thought out and poorly argued, assuming, incorrectly, that a loss of jobs in one part of an industry might not be made up elsewhere, and rarely (if ever) paying attention to the fact that artificially propping up one part of the industry has massive negative consequences for other areas in the economy. So let's see what this report says. But assuming you start seeing press reports about this later this week, make sure to read through them with a critical eye.

from the didn't-see-that-coming dept

Those who believe that kicking people off the internet based on accusations of file sharing is an affront to basic due process and civil rights have perhaps an unexpected ally: UK law enforcement and intelligence services have come out against Peter Mandelson's "three strikes and you're off the internet" plan. Of course, they're not as concerned about due process and civil rights as they are about making it more difficult to track down criminals online:

Law enforcement groups, which include the Serious and Organised Crime Agency (Soca) and the Metropolitan Police's e-crime unit, believe that more encryption will increase the costs and workload for those attempting to monitor internet traffic. One official said: "It will make prosecution harder because it increases the workload significantly."

A source involved in drafting the Bill said that the intelligence agencies, MI5 and MI6, had also voiced concerns about disconnection. "The spooks hate it," the source said. "They think it is only going to make monitoring more difficult."

Enforcement groups are also unhappy that the Government's change of plans has left them little time to draw up a response. Lord Mandelson's intervention came two months after the Government's Digital Britain report, published in June, failed to back disconnection.

So, the government's own plan said no to kicking people off the internet. The police and the intelligence services are saying no to it. Why is Mandelson still supporting it?